Mondex Revisited with Perfect Developer - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

Mondex Revisited with Perfect Developer

Description:

... abstract transfer attempt to a concrete transfer attempt followed ... Each Purse has a single attribute: balance: nat. The world has the following attributes: ... – PowerPoint PPT presentation

Number of Views:34
Avg rating:3.0/5.0
Slides: 18
Provided by: davidc171
Category:

less

Transcript and Presenter's Notes

Title: Mondex Revisited with Perfect Developer


1
Mondex Revisitedwith Perfect Developer
  • David CrockerEscher Technologies Ltd.

2
Background to Perfect Developer
  • Its intended area of application is
    component-based software development
  • PD has facilities for
  • Specifying software components and systems
  • Refining the specifications (manually or
    automatically)
  • Verifying the specifications and any manual
    refinements
  • Generating ready-to-compile code
  • PD is designed and built around automated
    reasoning
  • There is no direct user interaction with the
    prover

3
System-level specifications in PD
  • A model of the system that surrounds the software
    is to be used can be expressed in PD
  • To help verify that the software specification is
    consistent with the required system behaviour
  • We did not intend that PD be used to refine
    system-level models

4
What we have donewith Mondex so far
  • At the Refinement Workshop in September 2004 we
    expressed the Mondex abstract world in PD
  • Using classes Purse, TransferDetails and AbWorld
  • We verified all verification conditions generated
    from the abstract world model using the automatic
    prover
  • No value created security property
  • All value accounted security property
  • 30 VCs arising from preconditions, class
    invariants and type constraints

5
Improvements made since the Refinement Workshop
  • We completed some work on the PD prover and
    mappings
  • Allows us to represent the world of purses as
    amap of (NAME-gtPurse) instead of a seq of
    Purse
  • We added a construct for directly representing
    guarded nondeterministic choice in schema
    postconditions
  • Provides a simpler way of translating Z schema
    disjunction to PD
  • so the current PD translation follows the Z
    original more closely
  • General improvements to the prover
  • Proof time down from 2 minutes to 20 seconds

6
Our goals in this project
  • Learn more about how to best represent
    system-level specifications in PD
  • Understand the limitations of the PD prover in
    this context, and overcome them
  • Achieve a fully automatic proof of the Mondex
    case study
  • Use what we have learned to make PD more usable
    for system-level verification

7
The top-level plan
  • Translate the concrete model from Z to PD
  • Adapt the refinement steps as needed
  • Make them more suitable for PD
  • Work on the unproven verification conditions
  • Where necessary, improve the prover and/or
    provide hints
  • Generate code for the purse and other components
  • If time, write a simple Java framework in which
    to exercise them

8
Nature of the Z refinement
  • Two stage refinement
  • The tricky one is from A to B
  • The retrieve relation is non-functional and
    non-deterministic
  • The Concrete and Between worlds have maybe lost
    and definitely lost values
  • Value that is maybe lost is value in transit
  • A finalization step is needed for the A to B
    refinement
  • All maybe lost value becomes successfully
    transferred or definitely lost

9
Refinement VCs in PD
  • Let R be the deterministic retrieve function,A
    be the abstract state space,C be the concrete
    state space,opA(a, a) be the abstract operation
    relating a to aopC(c, c) be the concrete
    operation relating c to c
  • ? cC ? pre R(c)
    R is total
  • ? cC ? R(c)A R maps all of
    C into A
  • ? cC ? pre opA(R(c)) gt pre opC(c)
    applicability
  • ? cC ? pre opA(R(c)) gt ? cC ? opC(c,
    c) gt opA(R(c), R(c)) correctness

10
Notes on refinement VCs
  • We do not attempt to prove that all states in A
    can be represented by states in C
  • There may be inaccessible abstract states
  • If the abstract and/or concrete operations are
    composed of multiple sequential private steps,
    then R need only hold in the initial and final
    states
  • The intermediate states are not observable
  • They may even violate the invariants of A and C
  • This is very common in software, e.g. updating a
    table and then its index

11
Multi-step operations
  • Suppose we refine opA1 then opA2 by opC1 then
    opC2
  • The correctness VC generated by PD is
  • ? cC ? pre opA(R(c)) gt ? c,cC ?
    opC1(c, c) opC2(c, c) gt ? aA ?
    opA1(R(c), a) opA2(a, R(c))
  • In PD the retrieve relation need not hold during
    unobserved intermediate states
  • So the question of the concrete model resolving
    nondeterminism earlier or later than the abstract
    does not arise unless the intermediate state is
    observed

12
Structuring the Mondex refinement
  • We still need a finalization step
  • Because the abstract model describes atomic
    transactions (no concept of value in transit)
  • In theory, we could use a single-step approach
  • Refine an abstract transfer attempt to a concrete
    transfer attempt followed by finalization
  • but we intend to try 2-step refinement
  • Our between-world is not the same as the Z
    original
  • It is closer to the abstract world than the Z
    between-world
  • Its purpose is to introduce value in transit

13
Our Between-World
  • Each Purse has a single attribute balance nat
  • The world has the following attributes
  • purses map of (NAME -gt Purse)
  • lost map of (NAME -gt nat)
  • inTransit map of (NAME -gt map of (NAME -gt nat))
  • lost is an attribute of the world, not of Purse,
    because an individual purse cannot know whether
    missing value has been lost or is still in
    transit
  • inTransit describes all value that has left one
    purse for another but neither reached it nor been
    declared lost

14
Transactions in the Between-World
  • A successful transaction is performed in two
    steps
  • Move value from fromPurse.balance to inTransit
  • Move value from inTransit to toPurse.balance
  • A lost transaction fails to perform the second
    step
  • Finalization moves all inTransit value to lost
  • We can state security properties for all three
    operations
  • tBalance tInTransit tBalance
    tInTransittBalance tInTransit tLost
    tBalance tInTransit tLost

15
Where we go from here
  • Specify and verify the between model (just
    started)
  • Verify it for well-formedness and consistency
  • Verify that the security properties hold
  • Verify that it refines the abstract model
  • Specify and verify the concrete model
  • Initially, we will leave out the movement of
    exception logs from purses to the system (either
    add this to the model later, or treat it as
    another refinement)
  • Verify it for consistency
  • Verify that it refines the between-model

16
Questions?What do you think of our approach?
17
Software inevitably contains bugs
- lets dispel that myth!
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Mondex Revisited with Perfect Developer" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!